What Is Malware?

Malware is the generic name given to malicious code that is designed to disrupt the normal operation of or cause harm to a user’s computer, phone, tablet, or other device. There is a wide range of different malware categories, including but not limited to worms, trojans, spyware, and keyloggers. These terms are often used interchangeably and a growing number of malware variants now incorporate a blend of different techniques.

The vast majority of today’s malware is focused on making money for the malware authors.[1] This is typically done by stealing confidential data such as usernames, passwords, credit card details, or other financial particulars. This sensitive information is then used to launch further attacks on individuals and businesses or is sold to other malicious actors. Ransomware, a type of malware that locks a device and requires payment to regain access to files, is increasingly being used to monetize malware.

Malware is designed to bypass security systems and avoid detection, making it extremely difficult for security teams to ensure that users and the wider business are not adversely impacted. Malware authors implement a variety of methods to achieve this circumvention, including using obscure filenames, modifying file attributes, mimicking legitimate program operations, and hiding processes and network connections. These obfuscation and evasion techniques are helped along by the sheer volume of emerging malware; it is estimated that 390,000 new variants are discovered every day.[2]

How Is Malware Distributed?

There are a number of different ways that malware is distributed, resulting in infected devices. These include:

  • A malicious file attached to a phishing email – The email will likely use social engineering techniques to encourage the recipient to open the attachment. Once opened, the malware code is delivered.
  • A malicious URL link in the body of an email – The email will likely use social engineering techniques to encourage the recipient to click on the link. Once clicked, the URL navigates to a web page that is a malware drop site.
  • A drive-by download – Malware code will be delivered when the user either lands on a malware drop site directly or is redirected to such a page via a malicious advert (malvertising).
  • An infected USB device.
  • Direct network intrusion through exploitation of open ports on perimeter firewalls.
  • A vulnerability in the device’s operating system or installed applications – Take, for example, an old, outdated, or misconfigured Flash plugin in a user’s browser. Compromised websites can be designed to scan a user’s device for such a vulnerability as soon as an individual lands on that page. The malware on said page identifies which vulnerabilities can be leveraged and then delivers specific malware code to exploit the vulnerability it found.

Low Barriers To Entry

Up until a few years ago, a cybercriminal needed to have a decent understanding of software engineering, security, and networking to launch a malware attack. But an entire ecosystem has developed that enables malicious actors to build, deploy, and monetize malware for as little as $39.[3] In fact, malware-as-a-service (MaaS) and ransomware-as-a-service (RaaS) are readily available, cheap to purchase and download, and openly advertised on popular sites. An example of one such website, selling a variety of MaaS options, is shown below.

Figure: Malware Seller

Types of Malware

Spyware: Tracks browsing activities and gathers information about a person or organization. Covertly sends this information to another entity for further malicious use or asserts control over a device unbeknownst to the user.

Keylogger: Records keystrokes made by a user to extract usernames, passwords, and other sensitive information. This information is often used by cybercriminals for further malicious activity.

Trojan: Disguised as legitimate software to spy on or gain access to the user’s system in order to steal, delete, block, or modify data, as well as to disrupt device or network performance. There are many types of Trojans, including a backdoor Trojan that gives the cybercriminals complete remote control of an infected device, a Trojan-DDoS that incorporates a device into a botnet that is then used to launch denial-of-service attacks, and an email Trojan that allows a device to be used to launch spam email attacks.[4]

Worm: Replicates itself from one device, drive, or network to another through network connections. Worms spread automatically, without any human initiation, and their self-replication consumes bandwidth and overloads web servers.[5]

Rootkit: Designed to take remote administrative control of a device. Once installed, the malicious actors behind the rootkit can track everything done on the device, run files, install programs and additional malware, and modify software including anti-virus programs. Rootkits are notoriously difficult to detect and remove.[6]

Ransomware: Encrypts the files on a user’s device or a network’s storage devices. To restore access to the encrypted files, the user must pay a “ransom” to the cybercriminals, typically through a tough-to-trace electronic payment method such as Bitcoin.

Reducing the Risk of Malware Impacting Your Business

Educate the weakest link. The vast majority of malware requires someone to take action to activate the payload. Educating employees about how to recognize and defend against cyber attacks is vital. Many attacks will use email and social engineering techniques to trick the employee into downloading malware or divulging their username and password. As such, training should focus on these common attack vectors. Exercises where employees are sent faux “phishing” emails are effective in coaching users to distinguish between a genuine supplier communication and a phishing email with the subject line “Invoice Attached - please open.”

Patch, patch, patch. Then patch again. As demonstrated by the recent WannaCry and Petya attacks, failing to implement a rigorous approach to patching known security vulnerabilities can leave an enterprise exposed. Even months after the EternalBlue vulnerability was exploited for the WannaCry and NotPetya attacks, it's estimated that at least 38 million PCs remain unpatched.[7] It’s relatively simple for cybercriminals to identify unpatched devices and software on an enterprise’s network, and once identified, to take advantage of known vulnerabilities.

Back up your data, and back up your backup. To some, this may sound obvious, but malware can encrypt backups stored on network servers. As a result, enterprises need to review their current approach to backups. Are employees backing up important files to a network drive? Are the backups from these devices and the file servers then backed up to a cloud backup service? Are you testing that the backups can be restored? That way, if malware encrypts all local files and backups, an enterprise can still restore them quickly with minimal impact to the business.
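The backup questions above can be turned into a routine restore drill. The following is an added example, not code from the original article: it writes the same files to two backup tiers (a reachable network share and a cloud copy, both simulated as local directories), keeps a separate manifest of expected SHA-256 hashes, damages the share copy the way malware on the LAN would, and then restores from the first tier that still verifies. The file contents, tier names and directory layout are constructed for the demonstration.

```python
import hashlib, os, shutil, tempfile
# Constructed sample files, and a manifest of expected hashes kept apart from the copies.
SAMPLE_FILES = {
    "finance/invoices-q3.csv": b"id,amount\n1,120.00\n2,85.50\n",
    "hr/policy.txt": b"Remote work policy v2\n",
}
MANIFEST = {rel: hashlib.sha256(data).hexdigest() for rel, data in SAMPLE_FILES.items()}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def write_copy(dest, files):
    # Write one backup tier: every file under dest, directories created as needed.
    for rel, data in files.items():
        path = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

def verify_copy(dest, manifest):
    """Files in dest that are missing or whose hash no longer matches the manifest."""
    return [rel for rel, digest in manifest.items()
            if not os.path.exists(os.path.join(dest, rel))
            or sha256_file(os.path.join(dest, rel)) != digest]

def restore_from_first_good_copy(tiers, manifest, restore_dir):
    """Restore from the first tier that verifies; return its name, or None if all fail."""
    for name, path in tiers:
        if verify_copy(path, manifest):
            continue  # this tier is damaged; try the next one
        for rel in manifest:
            dst = os.path.join(restore_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.join(path, rel), dst)
        if not verify_copy(restore_dir, manifest):  # confirm the restored tree, not just the source
            return name
    return None

def restore_drill():
    """Back up to share and cloud, damage the share copy, check a verified restore still works."""
    root = tempfile.mkdtemp()
    share, cloud, restore = (os.path.join(root, d) for d in ("share", "cloud", "restore"))
    for tier in (share, cloud):
        write_copy(tier, SAMPLE_FILES)
    with open(os.path.join(share, "hr/policy.txt"), "wb") as f:
        f.write(os.urandom(32))  # simulated damage to the copy reachable from the LAN
    damaged = verify_copy(share, MANIFEST)
    used = restore_from_first_good_copy([("share", share), ("cloud", cloud)], MANIFEST, restore)
    shutil.rmtree(root)
    return damaged, used
```

The drill reports which files on the share no longer match the manifest and which tier the restore actually came from; a result of `None` means no backup tier survived and the backup strategy needs revisiting before an incident, not after.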

Make it harder for the bad guys—have multiple layers of defense. Cybercriminals spend huge amounts of time and money developing ever-more sophisticated forms of advanced malware that are designed to bypass a company’s security defenses. Relying on a single layer of security against this evolving barrage is not best practice. Utilizing multiple security layers means that if one layer does not block an attack, you have additional overlays that can mitigate the threat. So, what layers of security defense does your company currently have in place? Do you have different security solutions to help mitigate risk during all stages of an attack? Are there current gaps in your security that malicious actors can exploit?

[1][2] Kruegel, D. C., Labs Report at RSA: Evasive Malware’s Gone Mainstream. Retrieved from http://labs.lastline.com/evasive-malware-gone-mainstream